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[57] ABSTRACT 

Disclosed is a method of authentication of data elements 
of the type that may be needed, for example, to authen- 
ticate a chip card before permitting a transaction instru- 
ment to deliver a service to the holder of this card. 
Should the authentication consist in ascertaining that an 
information content is truly present in the card at a 
determined address of a memory of the card, it is pro- 
posed to make the length of the block of information 
elements parametrizable and to include, in the algo- 
rithm for the encryption of this block, data relating to 
this length; the logic address of the file that contains the 
block and the position of the block in the file are also 
used. Furthermore, preferably a recursive algorithm is 
performed in N steps: the block to be authenticated is 
sliced into slices of fixed length and, at each step, the 
Exclusive-OR function of a slice considered and of the 
result of the preceding step is used as the data to be 
encrypted. FIG. 1. 

9 Claims, 2 Drawing Sheets 
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spondence, it means that the right key Kl is present in 

METHOD FOR THE AUTHENTICATION OF DATA the chip card. If not, the operation is not authorized. 

^ The correspondence may be an identity of Rl and R2, 

BACKGROUND OF THE INVENTION but it may also be a predetermined relationship that is 

1. Field of the Invention 5 not an identity. 

The invention relates to the security of the processing * n another method of authentication, given by way of 

of digitized information elements and, more specifically, an example, the algorithm C(D, K) used in the card to 

it relates to a new method enabling the authentication of obtain the result Rl is not the same as that used in the 

binary data elements contained in a file. reader to obtain the result R2. For example, the algo- 

The expression "method of authentication" is under- 10 rithm of the card is an encryption algorithm C(D1,K1) 

stood herein as a signal-processing operation by which leading to a result RJ. The algorithm contained in the 

it is ascertained that a set of data sought at a certain reader is a decryption algorithm that can be used to 

place really is the expected set of data. If this is the case, recover Dl from Rl, referenced D(R,K). It is possible 

an authorization is issued (for the execution of other to use a known type of algorithm (RSA) that has the 

operations). If it is not the case, a prohibition is issued. 15 following property: a single key K2, different from Kl, 

Methods of electronic authentication are becoming is capable of decrypting the result Rl encrypted with 

ever more necessary with the increasing use of electron- the key Kl. This means that, for each key Kl, a single 

ics in everyday life. Electronic authentication may be key K2 is such that if C(D1, K1)=R1, then D(R1, 

used to enable an authorized person to gain access to K2)=D1. The electronic processing is then as follows: 

confidential information or to reserved premises, or to 20 ^ readef sends a piece Qf ^ m tQ ^ ^ The 

enable transactions directly having a fiduciary value, card encrypts this data with the algorithm C(D, K), 

usuig a personal account etc. ^ its key K1 It sends the fesult R1 tQ ^ 

In particular, electtonic chip cards are being increas- reader< The reader carries out the decrV ption algorithm 

£^^^^ ,e^V, ^ C£U T P ?T M DC", **> ™ th « r «ult. The result is compared with 

SdTiS^Lr TTS J? ^ dat * D1 init ^y sent by the reader. If there is no 

vested with the power to provide such and such a ser- j ^ \ t . , 

vice and that theholder of the card is truly entitled to ^^T^tw" * "ZT* ^S^F* 

use this card. The invention shall be described here n0t °* e * In , hlS what * herefore 

below with reference to a chip card so that it can be * n0t * e ld u Cntlty ° f tw0 encr y?tion keys but the corre- 

understood more easily, but the invention is not re- 30 spondence between an encryption key Klanc Ithe only 

stricted to this example. decryption key K2 that corresponds to it. High security 

2. Description of the Prior Art 1S obtained Wlth system, especially in the case of the 
The exemplary methods of authentication that shall ofthe algorithm RSA which is such that the knowl- 

be given here below are described as examples to show cd S e of the encryption key cannot be used to compute 

the variety of possible situations in which the invention, 35 reverse decryption key and vice versa, so that it is 

which will be explained thereafter, can be applied. possible for one of the two keys to be unprotected. 

In the case of a chip card, for example, the following To increase the security attached to these methods, 

authentication scheme is frequently used: in an internal the data Dl sent by the reader is a random data element, 

non- volatile memory, the card contains a confidential so that it is not possible to draw conclusions from a 

code that is specific to the holder of the card and is 40 succession of fruitless attempts at authentication, 

known to him alone. The card is inserted into a reader The above paragraphs refer to the authentication of a 

that is coupled to a keyboard for the introduction of caf d DV the presence of a secret key that resides in the 

data elements. The holder of the card introduces his- eard. However, it is possible to envisage a case where a 

confidential code through the keyboard. This code is part of the contents of the memory of the card has to be 

transmitted to the card. A comparison is made in the 45 authenticated without there being authorization for the 

card, and the subsequent operation is permitted only if contents to travel in clear form on the link between the 

the code introduced corresponds to the confidential card and the card reader. In this case, it is possible to 

code in memory, envisage, for example, the execution of an encryption 

This is a first level of authentication: the verification algorithm with secret key C(D,K) by using, as a secret 

of the entitlement of the holder. 50 key K, a key contained in the card and, as data D, a 

A second level may consist in ascemining that the piece of information contained in the card rather than 

card is truly entitled to carry out the transaction which (or in addition to) a piece of data sent by the card 

the reader will carry out with it. The card then con- reader. 

tains, in another non-volatile memory zone, a secret key In this case it is necessary, naturally, for the program 

Kl of an encryption algorithm C(D, K) where C is a 55 that is contained in the card and that carries out the 

function of a piece of data D and of a key K. Unlike the algorithm to know the location of the information to be 

personal confidential code which the holder needs to authenticated. This location is designated either by a 

know, the key K is not known to the holder. physical address or by a logic address in a file. 

The card reader sends any piece of data Dl to the It has therefore been proposed to authenticate the 

card. The card contains the encryption program C(D, 60 information by means of an encryption algorithm using, 

K) in its memory. It encrypts the data Dl by means of as a key,. a secret key contained in the card and, as data, 

the secret key Kl, i.e. it performs the function C(D1, several data elements which are notably the contents of 

Kl); and it sends the result Rl to the reader which, in the expected information, the physical or logic address 

the meantime, has encrypted the same data Dl with the at which it should be located and, as the case may be, 

same encryption algorithm C(D,K) and with a key K2 65 the data (for example a random data element) sent by 

which it has in its memory and which should, in princi- the card reader. 

pie, correspond to Kl. The results Rl and R2 of the In a practical way, the information elements that are 

encryption operations are compared. If there is corre- thus certified are data elements of constant length, for 
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example one four-byte word for the information to be transmitted to the card in the instruction and are not 
certified, one word for the address and one word for the written in the card. 



random data element 

SUMMARY OF THE INVENTION 



BRIEF DESCRIPTION OF THE DRAWINGS 



5 Other features and advantages of the invention shall 
It is an aim of the invention to increase the possibili- appear from the following detailed description made 
ties of the method of authentication so that one and the with reference to the appended drawings, of which: 
same chip card (in the case of chip cards) can be used in FIG. 1 shows an example of a system using a memory 
a greater number of applications and, consequently, so card containing data elements to be authenticated; 
that one and the same card can contain information 10 FIG. 2 shows a view, in schematic form, of the split- 
elements to be authenticated that are. very different in ting up of the block of information elements which will 
nature - be used for the authentication; 

According to the invention, there is proposed a FIG. 3 shows a flow chart of the encryption program 
method of authentication that uses data elements to be enabling the authentication, 
authenticated in the form of a block of data elements 15 

contained at a determined location of a determined file, MORE DETAILED DESCRIPTION 

and an encryption program that brings into play, as data The invention shall be described with reference to a 
to be encrypted, the logic address of the file containing particular example. This example should not be taken to 
the block of data elements, the position and the length be an exhaustive one, given the great variety of possible 
of the block of data elements in the file and the actual 20 situations as has been shown in the introduction to this 
contents of the block of data elements. patent application. 

This enables the authentication of the information FIG. 1 shows a memory card 10 comprising essen- 
irrespectively of its size and not just the authentication tialiy a microprocessor MP, memories associated with 
of information with a size fixed beforehand. Therefore, this microprocessor and the interface circuits IF needed 
greater flexibility of use is obtained since it is possible to 25 for communication between the card and the exterior, 
use one and the same card for very different applica- Among the memories associated with the micro- 
tions requiring the authentication of blocks of informa- processor, there are generally a working random-access 
tion elements with a size that can be parametrized as a memory (RAM) 12, a program read-only memory 
function of the application. (ROM) 14 and a non-volatile memory (EPROM or 

For the encryption programs that use data elements 30 EEPROM) 16, electrically programmable and possibly 
of constant length, the information on the size of the electrically erasable. 

block of data elements to be encrypted is used to split up The memory 16 is preferably divided into several 
the information to be encrypted into N slices of constant zones, some of which can be read from the exterior 
length; and an encryption operation is carried out for while others cannot be read from the exterior (and can 
each slice. The encryption program therefore takes 35 be read only by the microprocessor for its own needs), 
account of the size of the block to enable an encryption It may also be divided into programmable and non-pro- 
irrespectively of this size. grammable zones. When a zone is non-programmable, it 

In an advantageous mode of implementation of the means that a recording was done thereon at a given time 
invention, the encryption program uses an algorithm C and that writing access was then permanently blocked 
(D, K) with a secret key K, which is carried out itera- 40 by physical or logic means. 

tively in the following way: The card is designed to communicate with a transac- 

the block of information elements to be authenticated tion instrument 20, the purpose of which is to deliver 
is split up into slices of determined size, the nth services to the holder of the card when he introduces 
order slice being designated by d n ; his-card into the instrument. The operation of the in- 

the encryption algorithm C(D,K) is carried out itera- 45 strument, as far as the provision of services is con- 
tively on data elements which, at a step n, bring cerned, shall not be described since the invention is 
into play the slice d„ and the result P„_i of the limited to aspects relating to the authentication of the 
execution of the algorithm at the previous step card by the instrument. The services, whatever they 
n "~ * • may be, are delivered only after a successful authentica- 

Preferably, at each step, the encryption algorithm is 50 tion of the card, 
carried out on a piece of data which is a simple logic The transaction instrument 20 naturally includes an 
combination, preferably an Exclusive-OR combination, interface circuit IF', capable of communicating with the 
of the sliced,, and the result P„_i of the execution of the corresponding interface circuit of the card 10. The 
algorithm at the previous step. instrument furthermore preferably includes signal pro- 

A step of iterative execution of the algorithm will 55 cessing means similar to those of the card, namely a 
preferably be the execution of the algorithm on a slice microprocessor MP', a working random-access mem- 
of data elements comprising, among other elements, the ory 22, a program read-only memory 24, possibly a 
logic address of the file containing the block as well as non-volatile memory 26. However, these means may be 
the position and the length of the block of data ele- . replaced by a microcomputer or the equivalent thereof, 
ments - ... 60 capable of communicating with the card according to a 

In practice, it is the first step of the iterative execution determined protocol (through the interface IF') to ex- 
of the algorithm that is carried out on the above-men- change information with it 

tioned data elements and, as the case may be, on a data In the example described herein, it will be assumed 
element coming from the application (generally, a data . that the authentication of the card calls for the verifica- 
element coming from the card reader in the case of a 65 tion of the contents of a zone Zl at a determined loca- 
chip card and, preferably, a random data element). It tion of the non-volatile memory 16 of the card. The 
may be noted that, in every case, the logic address of the transaction apparatus will ascertain that a welWeter- 
file, and the position and the length of the block are mined block of information elements Bl is present at 
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this location. And, naturally, this ascertaining should be 
done without making the information elements travel in 
clear form between the card and the reader. 

The memory zone Zl is taken to be inaccessible, for 
both reading and writing, from the exterior of the card. 5 
However, it is accessible for certain well-determined 
operations fixed in the programs contained in the read- 
only memory (ROM) 14 or the EEPROM 16. 

The transaction instrument 20 prepares a random 
data element Dl which it sends to the card. It also sends 10 
the logic address of the file and, according to the inven- 
tion, the size and the position of the block of data ele- 
ments Bl to be authenticated (this size being evaluated 
in number of bytes or in number of words for example). 

By using an encryption algorithm C(D, K) contained 15 
in its program read-only memory, the card will carry 
out an encryption of the block of information elements 
and transmit it to the transaction instrument. For it part, 
the transaction instrument will carry out (in this exem- 
plary embodiment) the same encryption on the same 20 
information elements. 

For the encryption, the card uses a secret key K 
which is in a memory zone Z2 that is inaccessible to 
both reading and writing. Only the microprocessor can 
access this zone, and can do so only during the execu- 25 
tion of the encryption algorithm C(D, K). The memory 
zone Z2 forms part (in principle) of the non-volatile 
memory 16. 

According to the invention, the data D on which the 
encryption with a secret key K is done comprises firstly 30 
the block of information elements to be authenticated 
and, secondly, a piece of data representing the size and 
the position of this block and the logic address of the file 
containing it. It may also include the random data ele- 
ment Dl transmitted by the reader. 35 

Given that the block of information elements has a 
size that may be variable, since therein lies one of the 
most promising features of the invention, it is desirable 
to use an encryption algorithm that is not hampered by 
the fact that the size is variable. It is for this reason that 40 
the invention uses the size of the block Bl, given by the 
system to the card, to take account of this size in the 
encryption program. 

Standard encryption programs such as the algorithm 
DES work on data elements of fixed size and give re- 45 
suits of fixed size. 

To enable the encryption with this type of algorithm, 
preferably there is provision for splitting up the block of 
data elements to be authenticated into slices of fixed size 
and for carrying out an encryption operation in several 50 
steps, sufficient in number to process all the slices. 

According to a particular feature of the invention, it 
is proposed, at each step, to carry out an encryption 
operation not on each slice of the block to be authenti- 
cated but on a simple logic combination of a determined 55 
slice and of the result of the operation carried out in the 
preceding step. The logic combination is preferably an 
Exclusive-OR combination. 

In other words, the card splits up the block of data 
elements to be authenticated into N slices having a fixed *0 
size, the contents of which are d a for the nth slice. The 
encryption algorithm C(D» K), carried out at the step n, 
gives a result P rt . 

In this case, the following computation is done at 
each step; 65 

Pn=C{d n Xor />„_ j, K) 



where the expression (d* Xor P«_i) represents the Ex- 
clusive-OR combination of d„ and P*_i. 

Naturally, at the first step, n is equal to 1 and there is 
no preceding result P ff _i. The computation can be done 
directly on the first slice of data elements dj. Then: 

P\=*C{d\, K) 

Preferably, the first slice of data elements will include 
the logic characteristics enabling the identification of 
the position and the size of the file as well as the logic 
address of the file and, if necessary, the random number 
Dl given by the application. These characteristics 
therefore comprise the following series of indications: 

Rd: type of the directory in which there is the file of 
data containing the block Bl; for example one byte; 

Nf: number of the file in this directory; for example 
one byte; 

p0; position of the block of information elements Bl 
in relation to the beginning of the file; for example 
one byte; 

LI: length of the block Bl; for example one byte; 
Dl: random data element given by the transaction 

instrument; for example four bytes. 
The first slice therefore comprises, for example, eight 
bytes: 

d] = Td, N/.p^Ll, Dl. 

The other slices will be the succession portions of 
eight bytes of the .block of information elements Bl. 

The Exclusive-OR operation preserves the length of 
the slices of the slicing operation. 

Since the usual encryption algorithms (DES, RSA) 
give results that have the same size as the encrypted 
data elements, the sequence of iterative steps relates, 
each time, to data elements of the same length. 

In the example described more specifically herein, the 
algorithm used for C(D, K) will be the algorithm DES 
published by the National Bureau of Standards of the 
United States of America. A detailed description 
thereof may be obtained from this organization or in the 
Federal Register, Vol. 40, No. 52 (Mar. 17, 1975) and 
Vol. 40, No. 149 (Aug. 1, 1975). 

In brief, the encryption program contained in the 
read-only memory 14 of the card will cause the micro- 
processor first of all to slice the block of information 
elements to be encrypted (block Bl+information ele- 
ments on address, position and size + random data ele- 
ment Dl) into N slices, and then the microprocessor 
will do the actual iterative encryption, in taking account 
of the previously evaluated number of slices. 

The final result P^of the succession of recursive steps 
described further above is transmitted to the transaction 
instrument. The same computation is carried out by this 
instrument and the results are compared for the authen- 
tication of the card. 

The flow chart of FIG. 3 gives a schematic view of 
the essential steps of the authentication program con- 
tained in the read-only memory 14 of the card and car- 
ried out by the microprocessor MP as soon as the instru- 
ment 20 has transmitted the necessary information ele- 
ments, 

A description has thus been given of an original solu- 
tion enabling the use of a variable block length to au- 
thenticate an element such as a memory card. The solu- 
tion prevents authentication if the information block 
does not have the expected logic characteristics (relat- 
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ing to the position, size and logic address of the file) and an Exclusive-OR combination, of the slice d„ and of the 

the expected contents. result Fn l of the execution of the algorithm at the 

What is claimed is: previous step< 

1. A method of encryption that uses data elements to S . A method according to claim 3, wherein a step of 
be authenticated in the form of a block of data elements 5 i terative execution is the execution of the algorithm on 
£T^l a de ^ ermmed locatlon of a determined file a piece of data comprism g, among other elements, the 
?nto ^2rtJS ^LTT^ P ro ^™ that b ™f length of the block of data elements to be authenticated. 

contents of the block said length being variable. 10 f , P ' ^^P^ 11 a g™ h » 15 earned out by using, as 

2. A method according to claim ^wherein the en- ^1° T^Lf 5° 
cryption program sets up a slicing, into N slices, of the SS^^^ 0 " ^ ^ ° f 2? 

set of information elements comprising, firstly, the 'f orm f tIon as j Well as the logic address of the 

block of data elements to be authenticated and, se- fil ^ d ' p ^ ly * a numbe r r L 

condly, other information elements such as said length 15 7 : A method according to any of the above claims 1 

of the block and its position, then it carries out an en- or 2 > wherem data elements to be authenticated are 

cryption program taking into account the number N of contained in the memory of a memory card, wherein 

slices. tne encryption algorithm is performed by a micro- 

3. A method according to one of the claims 1 or 2, processor contained in the card under the control of a 
wherein the encryption program uses an algorithm 20 P r °gram contained in a memory of the card, and 
C(D, K) with a secret key K, which is carried out itera- wherein the result of the encryption is transmitted to 
tively in the following way: tne exterior of the card. 

the block of information elements to be authenticated fi A method according to claim 6, wherein the en- 
is split up into slices of determined size, the nth cryption algorithm uses a secret key that is contained in 
order slice being designated by d„; 25 a memory of the card and has a content which cannot 

the encryption algorithm C(D, K) is carried out itera- be transmitted to the exterior of the card, 

tively on data elements which, at a step n, bring 9. A method of encryption of a block of data located 

into play the slice d„ and the result P„_i of the at a predetermined location, in a predetermined file of 

execution of the algorithm at the previous step memory, encrypting said block of data with additional 

n - 1 * 30 data namely with an address of the predetermined loca- 

4. A method according to claim 3 wherein, at each tion of said block of data, an address of said file, and 
step, the encryption algorithm is carried out on a piece length of said block of data. 

of data which is a simple logic combination, preferable ***** 
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